Four zero-day exploits add urgency to October’s Patch Tuesday

October brings four zero-day exploits and 74 updates to the Windows ecosystem, including a hard-to-test kernel update (CVE-2021-40449) that requires immediate attention and an Exchange Server update that requires technical skill and due diligence (and a reboot). The testing profile for the October Patch Tuesday covers Windows error handling, AppX, Hyper-V and Microsoft Word. We recommend a Patch Now schedule for Windows and then staging the remaining patch groups according to your normal release pattern.

You can find more information on the risk of deploying these Patch Tuesday updatesin this infographic.

Key testing scenarios

There are no reported high-risk changes to the Windows platform. However, there is one reported functional change and an additional feature added:

• As always, confirm that printing performs as expected with physical printers and virtual printers. Verify there are no issues with printer drivers. We suggest an assessment of which printer driver software is still using 32-bit code for application management.
• Test your non-English websites, looking for broken or uneven characters in Thai, Lao, Korean, and Arabic.
• The Active Directory feature BanndIP has been updated. We suggest validating AD authorization for both active and passive network traffic. You can find out more here.
• Microsoft has updated the media codec, so testing large image and video files should be part of the testing plan.
• The STORPORT.SYS component was updated this month, so check applications that depend on this Windows feature.

I think it is now safe to say that the Microsoft AppX format was not as widely adopted in the enterprise as expected. Even so, there were significant upgrades to Microsoft AppX containers and deployment tools included in this October update. If you have an enterprise Microsoft “store” for your applications, we recommend installing/uninstalling both your AppX applications and their associated runtimes.

On the topic of lesser-used Windows features, the Microsoft NTFS file system was updated to include a fix for symbolic links (helpful with UNIX migrations). If you are in the middle of a large UNIX migration, you may want to pause things a little and test out some large (and parallel) file transfers before deploying this update.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the  update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft, including:

• Devices with Windows installations created from custom offline media or custom ISO images might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge. This issue is only encountered when custom offline media or ISO images are created by slipstreaming this update into the image without having first installed the standalone servicing stack update (SSU) released March 29, 2021 or later.

Major revisions

At the time of writing this for this July update cycle, there were two major updates to previous released updates:

• CVE-2021-38624: Windows Key Storage Provider Security Feature Bypass Vulnerability. This is Microsoft’s third try at patching this Windows key storage component, and unfortunately a major upgrade was required. This month’s affected systems include Windows 11; Microsoft strongly recommended that immediate action be taken to update systems.
• CVE-2021-33781: Azure AD Security Feature Bypass Vulnerability. Again, another third try to resolve this issue. However, for this Azure AD issue, these latest changes are more informational (correcting CVE titles and documentation) and include an updated affected system list to include Windows 11. No further action required here.

Mitigations and workarounds

• CVE-2021-40444: Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Windows. The company is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

• Browsers (Microsoft IE and Edge);
• Microsoft Windows (both desktop and server);
• Microsoft Office;
• Microsoft Exchange;
• Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core);
• Adobe (retired???, not yet).

Browsers

Microsoft published 33 updates to the Chromium-based Edge browser this cycle. Given how Chromium does not integrate deeply into the desktop or server operating system, potential collisions or dependency issues are unlikely. You can find out more about the Chromium project’s update cycle andrelease notes here. 

However one of the key components (IEFRAME.DLL) of Internet Explorer (IE) was updated this month. It is possible that third-party applications and in-house developed software may depend on this key library. For this particular update, It looks as if Microsoft has changed how browsers tabs are handled, particularly how they are created. If you receive “Invalid Pointer Bad Ref Count” (or similar) errors in your testing, it may very well be related to this update to the core Internet Explorer system libraries (DLL’s). Add both of these groups of browser updates to your regular update schedule.

Windows

This month, Microsoft published four critical updates for the Windows ecosystem and a further 45 patches rated as important. Unfortunately, update CVE-2021-40449 for the Windows Kernel has been reported as exploited. This pairs a difficult-to-test, low-level update to Windows core systems with an urgency to mitigate or patch. We have included testing guidance in a section above that covers a lot of this month’s Windows changes. However, testing kernel updates is very tough. Test your core apps thoroughly, release your updates in rings or stages, and add this update to your Patch Now schedule.

Microsoft Office

Microsoft released 16 updates to Microsoft Office and Microsoft SharePoint, with one rated as critical (CVE-2021-40486) affecting Microsoft Word and the remaining patches affecting Excel and SharePoint. The Word security issue, while serious, has not been publicly disclosed and there are no reports of exploits in the wild. Note: SharePoint will require a reboot after its update. We recommend adding these to your regular patch release schedule.

Microsoft Exchange Server

Unfortunately, Microsoft Exchange Server updates are back for October. There are four patches for Exchange Server (both 2016 and 219), all rated as important. However, CVE-2021-36970 has a base rating of 9.0, according to the vulnerability rating system CVSS. This is really high (meaning serious) and usually would warrant a critical rating from Microsoft. However, due to the limitation of the “scope” of vulnerability, the potential damage is much reduced.

Microsoft has published updated documentation detailing a number of known issues relating to this month’s Exchange Server patches where a manual application of MSP files does not correctly install all of the necessary files. In addition, misapplying this update may leave your Exchange server in a disabled state. This issue applies to the following October updates:

• CVE-2021-26427 | Microsoft Exchange Server Remote Code Execution Vulnerability
• CVE-2021-34453 | Microsoft Exchange Server Denial of Service Vulnerability
• CVE-2021-41348 | Microsoft Exchange Server Elevation of Privilege Vulnerability
• CVE-2021-41350 | Microsoft Exchange Server Spoofing Vulnerability

This installation issue is a particular concern when applying updates using User Account Control (UAC), and does not happen when you use Microsoft Update. Otherwise, note that this Exchange update will require a server reboot; we recommend adding this update to your regular update schedule.

Microsoft Development Platforms

Microsoft released three updates to Visual Studio and one patch for .NET 5.0 this month. All were rated as important by Microsoft and at worst could lead to information disclosure or “denial of service” (application specific and localized). The Visual Studio updates are very straightforward and should be included in your standard development release cycle.

Adobe (really just Reader)

Adobe released four updates to its core Reader product group with security bulletin APSB1221-104. Two of these updates (CWE-416 and CWE-787) are rated as critical by Adobe. While both of these have CVSS scores of 7.8 (which is pretty high for a PDF reader) they do not require an urgent update. Add these to your regular update schedule.